Logging of user activity
Hi
We have some customers who have created multiple users on their cPanel account.
These customers are now asking if it is possible to see what settings the users have changed. They are especially interested in changes made to DNS.
Is there such a feature available in WHM/cPanel so that we can see it from WHM or maybe the user can see it themselves from within cPanel?
If this feature is not currently available, are there any plans to introduce this in the near future?
Our European customers have been told by security advisors that their hosting provider must have this feature to be GDPR compliant, so we just wanted to be sure if such a feature exists or not.
-
I am NOT a lawyer, so the following are my personal observations and opinion.
Whilst every EU member country that is subject to the GDPR is free to introduce their own interpretation into law, I believe we should examine the overall intention of the regulation. The GDPR was intended to quantify what personally identifiable information was being collected about anyone, and how that information was recorded/stored/processed/disseminated.
Of course, with the above in mind, we should need to ascertain if the recorded information meets the definition of being personally identifiable - and that is not something that is easy to do, and indeed there are many and varied (sometimes conflicting) opinions as to exactly what combinations of data are required to fulfil any such criteria.
Our European customers have been told by security advisors that their hosting provider must have this feature to be GDPR compliant
My take on this statement is that either the advisors have got it fundamentally wrong, or that they are actually trying to make an entirely different point.
Starting from the requirement that a person is entitled to ask for all records about them to be made available in a digital format, it would follow that if cPanel recorded anything, in any log, that may be of a personally identifiable nature, the operator of the WHM/cPanel server would be obligated to extract and make any such data available to that person on demand.
So what we are looking at is not a requirement to log the information (if nothing is logged, it can't possibly be personally identifiable information) but rather to have an easy way of extracting any information that is logged, and being able to present it in an acceptable digital format to the person who has demanded it.
The lack of any such utility or tool encourages server operators to discontinue logging of anything that might possibly be considered to be personally identifiable in order to remain compliant (the fines for non-compliance are ridiculous, and can be millions of Euros), and results in a significant reduction in server security and their ability to audit and troubleshoot both security and technical issues.
I consider that it is the responsibility of any company that is marketing software into the EU GDPR compliance zone, to ensure that their software includes any, and all, facilities, features and tools necessary for full compliance with the GDPR and any other EU requirement. If software does not meet, or cannot comply with, the legislative requirements of a country or area, it should not be sold into that zone. The old caveat of 'Buyer Beware' with the usual clause about the software 'suitability for use' just does not stand up either morally or ethically in my opinion, even if it does legally.
Thanks for reading.
-
Hi
I do agree that different countries have different ways of understanding GDPR. Even different "security" advisors have different opinions on how to understand and implement GDPR compliance. This is also why it can be problematic and we have also seen competitors simply disable all server logs to avoid issues since they have found, or been told, that the IP-address is personally identifying information.
Anyhow, the main question is still if there is a way to either see user activity or enable a feature to be able to log user activity.
-
We have some customers, who have created multiple users on their cPanel account.
Could you expand on this a bit more please? How were these users created exactly? Was the User Manager in cPanel used? Those users would not have any access to modify DNS settings, AFAIK.
-
Hi
Our customers have created multiple users inside cPanel under User Manager. This is done to avoid sharing one password. But for example when they give the marketing department access, then they can see many things and could perhaps make a breaking change to the DNS settings.
Currently we have no way to see what was changed by who, using the UI. But if there is a way for us to see it in a logfile on the server, then it is also fine.
-
...they can see many things and could perhaps make a breaking change to the DNS settings.
They would need to be logging in as the cPanel account owner to do this though.
User Manager - Version 76 Documentation - cPanel Documentation
-
Our customers have created multiple users inside cPanel under User Manager. This is done to avoid sharing one password. But for example when they give the marketing department access, then they can see many things and could perhaps make a breaking change to the DNS settings.
I don't understand that. When you create users under the cPanel user manager, the only things they can access are Email/FTP/Web Disk (whatever combination that they were allocated) and I don't see how any of those would be able to access or alter e.g. DNS settings?
-
You cannot create multiple cPanel users. You can create multiple FTP users, Webdisk Users and Email users but none of them would have access to the cPanel UI. We have some pretty informative documentation on this here: User Manager - Version 76 Documentation - cPanel Documentation